Google Releases Patch for CVE-2025-27363 on Android After Confirmed Exploitation

Thursday, May 8, 2025

Google has released its May 2025 Android security update, addressing 46 vulnerabilities. Among them is CVE-2025-27363, a high-severity flaw (CVSS score: 8.1) that has already been exploited in the wild. Google did not disclose who the attackers are or how the exploitation was carried out, but it confirmed that the vulnerability resides in the System component of Android and that it allows local code execution with no additional execution privileges and no user interaction required.

In mid-March, Meta had already issued an advisory about the same vulnerability, identifying it as an out-of-bounds write in FreeType version 2.13.0 and earlier. The flaw occurs due to incorrect memory handling when parsing font subglyph structures in TrueType GX and variable fonts. Specifically, a signed short value is assigned to an unsigned long and then a fixed value is added to it. A negative short sign-extends to a value near the top of the unsigned range, so the addition wraps around and yields a tiny count, which results in an undersized heap buffer allocation. The subsequent code then writes up to six signed long values out of bounds relative to that buffer, which may lead to arbitrary code execution.
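The arithmetic behind that description is easy to get wrong in a code review, so here is an added illustration in C of the signed-to-unsigned wraparound and the hardened form of the same computation. This is a constructed model written for this page, not FreeType's code: the constant EXTRA_SLOTS stands in for the fixed value the advisory says is added to the count, and the two-byte big-endian field layout is an assumption.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of the CVE-2025-27363 arithmetic, not FreeType's code.
 * EXTRA_SLOTS stands in for the fixed value the advisory says is added to
 * the count; the real constant and field layout are assumptions.
 */
#define EXTRA_SLOTS 4UL

/* Read a 16-bit big-endian signed field the way font tables are parsed.
 * The bytes 0xFF 0xFD decode to -3. */
int16_t read_s16_be(const uint8_t *p)
{
    uint16_t raw = (uint16_t)((p[0] << 8) | p[1]);
    return (int16_t)raw;
}

/* Vulnerable pattern: signed short -> unsigned long, then add a constant.
 * A negative count converts to a value near ULONG_MAX; adding EXTRA_SLOTS
 * wraps around to a tiny (or zero) element count, so the buffer sized from
 * it is far too small for what is written later. */
unsigned long vulnerable_alloc_count(int16_t n)
{
    unsigned long count = (unsigned long)n;  /* -3 becomes ULONG_MAX - 2 */
    count += EXTRA_SLOTS;                    /* wraps to 1 for n == -3 */
    return count;
}

/* Hardened pattern: reject negative counts before the conversion, and keep
 * an overflow check on the addition for the general case.
 * Returns 0 on success and -1 on a rejected count. */
int hardened_alloc_count(int16_t n, unsigned long *out)
{
    if (n < 0)
        return -1;                           /* a negative count is never valid */
    unsigned long count = (unsigned long)n;
    if (count > ULONG_MAX - EXTRA_SLOTS)
        return -1;                           /* cannot fire for int16_t; kept for wider types */
    *out = count + EXTRA_SLOTS;
    return 0;
}

int main(void)
{
    /* Constructed sample fields: a negative count and a normal one. */
    const uint8_t bad_field[2]  = { 0xFF, 0xFD };  /* -3 */
    const uint8_t good_field[2] = { 0x00, 0x0A };  /* 10 */
    const uint8_t *fields[2] = { bad_field, good_field };

    for (int i = 0; i < 2; i++) {
        int16_t n = read_s16_be(fields[i]);
        unsigned long safe = 0;
        int rc = hardened_alloc_count(n, &safe);
        printf("count=%d vulnerable alloc=%lu elements, hardened=%s\n",
               n, vulnerable_alloc_count(n),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Run stand-alone, the program shows a count of -3 sizing a 1-element buffer in the vulnerable path while the hardened path rejects it; a count of -4 would size a 0-element buffer. The fix is to validate the signed value before it is ever converted, rather than to check the unsigned result afterwards.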

While neither Google nor Meta has released technical details about the threat actors or the scope of the attacks, both companies confirm the vulnerability has been exploited in limited cases. FreeType versions after 2.13.0 are not affected; the fix shipped in FreeType 2.13.1. However, security experts warn that many Linux distributions still rely on older versions of the FreeType library, leaving them potentially vulnerable to similar attacks. Because distributions commonly backport fixes without bumping the version number, the reliable check is the package changelog or the distribution's CVE tracker rather than the reported FreeType version alone.

Source: https://securityaffairs.com/177514/mobile-2/google-fixed-actively-exploited-android-flaw-cve-2025-27363.html